In my editorial I reflected on the added value of the audit for the audited company. In this article I would like to continue this theme.
The auditing standards governing the conduct of the audit require the auditor to communicate with management and those charged with governance about significant audit findings, particularly identified deficiencies in the internal control system affecting financial reporting, his or her views on qualitative aspects of management's application of accounting procedures, and other difficulties encountered during the audit. The audit of financial statements as it stands today is not an audit of the accuracy of the accounting records but is a process based on an assessment of the risks of material misstatement, which is based on a good understanding of the audited company's (entity's) operations and an understanding of its control environment in relation to financial reporting.
It is through this process that the auditor should be able to identify potential deficiencies and, as one of the by-products of the audit, provide management with information and suggestions for improvement, including practical recommendations.
For the sake of correct interpretation, I would add that these are findings related to internal processes and internal controls where we see room for improvement and greater efficiency. We are not talking here about the occurrence of non-conformities, i.e. misstatements in the financial statements, which have an impact on the outcome of the audit itself and the auditor's opinion.
What are some of the most common findings we encounter with our audit clients?
In collaboration with other audit partners, we reviewed and evaluated the information we provided to senior representatives of audited companies over the past two years as feedback on the governance, management and internal control processes. The sample of companies examined was dominated by Czech manufacturing and trading companies or branches of multinational concerns. From approximately 500 audits of the financial statements of business entities, we communicated a total of 131 findings and related recommendations.
We have categorised these findings into five areas according to their substantive nature and have captured their relative representation in the following graph:
Auditor's most common findings
- Bookkeeping - application of accounting methods (30%)
- Taxes and transfer pricing (27%)
- Legislation (20%)
- Bookkeeping - internal processes (16%)
- Internal company processes/IT (7%)
Most of the findings (46%) concern accounting, especially the application of accounting methods by companies. Companies often make mistakes in operations with accounting estimates (e.g. creation of provisions and reserves, setting accounting depreciation according to tax depreciation, accounting for derivatives) and in the area of inventories it concerns calculations for manufacturing companies.
For accounting estimates, by definition, subsequent reality often differs from the original estimate. In other words, accounting estimates inherently involve a degree of uncertainty, some greater, some lesser. Often, we find that management of companies, in making relatively routine accounting estimates such as allowances for receivables or inventories, or for certain types of provisions, use historically established practices in the sense of "...we've just always done it that way" or methods established in group reporting, without regularly evaluating for themselves whether it is appropriate to continue to apply such practices in light of the particular situation and circumstances. In practice, this means having to make retrospective reviews of estimates by comparing them with subsequent reality and, in the case of major differences, reflecting on what is causing them. It may be that the chosen methodology is no longer appropriate because it may not capture all the information and facts that were and are relevant to the estimate, or the assumptions about the level of some inputs may no longer be appropriate to the circumstances.
Inappropriate use of accounting methods is also relatively common in the case of depreciation of fixed assets, which is also a category of accounting estimate. In our practice we encounter, for example, situations where we see items in the fixed asset registers that have already been fully depreciated, even though they are still in use by the company. On the other hand, we also see cases where, due to an inappropriate depreciation policy and the non-use of residual values, a company has repeatedly reported losses from its core business due to high depreciation of assets, and at the same time profits from the sale of assets disposed of that were originally used for its core business. A separate chapter is the setting of depreciation rates for financial reporting purposes in line with the depreciation applied for the purposes of determining the corporate income tax base. Of course, such depreciation of fixed assets has little to do with the real economic life of the fixed assets used by the enterprise.
In the case of own production inventory calculations, the pitfalls tend to be either the inclusion or exclusion of certain types of mainly indirect costs in the calculation formula and the methods of allocating overhead costs to the calculation unit. In the case of captive services companies, it is still the case that they do not have internal processes and systems set up to enable them to track work performed in detail for individual contracts and projects, which consequently makes it impossible to report true and reliable "earned" revenue and to reliably quantify the value of work in progress or deferred revenue at the balance sheet date.
In internal processes related to financial reporting, there are still shortcomings in the way the inventory of assets and liabilities is carried out. The lack of separation of powers and responsibilities and the absence of authorisation controls, i.e. "four-eyes control", are evergreens. In smaller companies, management is often surprised that accountants need more information from management to produce good accounts than simply receiving invoices issued and received, payroll recapitulations and bank statements, and that the accountants cannot figure out everything they need themselves without the cooperation of management and other relevant people. Well-maintained accounting and well-prepared financial statements then tend to depend on the skills and commitment of specific staff rather than being the result of well-designed (properly set up and well-described) internal policies or procedures and properly implemented (meaning actually implemented and supported, for example, by the set-up of data flow and information transmitted in information systems) processes and control mechanisms for which it is the responsibility of management. In these cases, the departure of even a single key employee can cause significant problems for the company.
TAXES AND TRANSFER PRICES
Twenty-seven percent of the findings were related to tax issues. As our clients include a significant number of concerns and international groups, we mostly encountered deficiencies in the area of transfer pricing for transactions between related parties. In practice, this includes the intra-group provision of support services (e.g. accounting, IT), the sale of products or the provision of funds between group companies. In such cases, the group has a legal obligation to demonstrate and substantiate that the transactions are at arm's length, i.e. at a price that corresponds to the same or similar transaction with an entity outside the group.
The most frequent risks here are related to the reclassification of price differences between related parties as disguised dividend payments, non-payment of withholding tax or violation of low capitalisation rules in intra-group financing.
Twenty percent of the findings were related to possible non-compliance with requirements under current legislation. Findings for 2020 were partly related to the assessment of the impact of changes in commercial law and comments on compliance with beneficial owner disclosure obligations were relatively common. For 2020 and during 2021, we also frequently drew companies' attention to the potential for certain "Covid" subsidies, where they could have applied for some type of support and have not yet taken up this opportunity.
INTERNAL COMPANY PROCESSES / IT
The remaining findings (7%) in the area of in-house processes were mainly related to IT, especially cybersecurity. Accounting is now exclusively digital. As part of the audit, the auditor must to a certain extent also be able to understand the IT environment of the audited company. Findings in this area most often concerned security weaknesses at both the governance and IT management level (such as password access policies), regular reviews of user access, insufficient procedures for monitoring security incidents at the local IT security level, and procedures relating to business continuity, security incidents and change management in general.
The approaches companies take to such findings vary. Some try to continuously improve, increase their efficiency and consistently prevent potential risks, while others say that nothing major happens until something goes wrong and appropriate measures need to be implemented. But it is often enough if something goes wrong just once and for the first time. An audit is not a panacea in itself and it is not rational to expect that the auditor will provide the business or the company management with a universal recipe for how to adjust the business model, what path to take, or where to invest to make the company more successful. However, for management to address these very fundamental issues, the audit of financial statements can be seen as one piece of the mosaic that provides management with a degree of comfort on common but necessary areas of corporate practice, thereby creating the space to focus on those critical strategic issues and priorities.
In the case of our sample of companies, it was interesting to compare the results for 2020 vs 2021 and to see how many of the recommendations were taken into account by the company's management and paid attention to in the following year. According to the results, this accounted for almost 40% of all findings and related recommendations.